
Cisco Asdm 7 User Guide

Here you can view all the pages of manual Cisco Asdm 7 User Guide. The Cisco manuals for Computer Equipment are available online for free. You can easily download all the documents as PDF.

Page 321

 
11-47
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 11      Configuring Inspection of Basic Internet Protocols
  IPsec Pass Through Inspection
–Default Level—Sets the security level back to the default level of Low.
Add/Edit IPsec Pass Thru Policy Map (Security Level)
The Add/Edit IPsec Pass Thru Policy Map (Security Level) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > IPsec Pass Through > IPsec Pass Through Inspect Map > Basic View
The Add/Edit...

Page 322

 
  IPv6 Inspection
Parameters—Configures ESP and AH parameter settings.
–Limit ESP flows per client—Limits ESP flows per client.
Maximum—Specify maximum limit.
–Apply ESP idle timeout—Applies ESP idle timeout.
Timeout—Specify timeout.
–Limit AH flows per client—Limits AH flows per client.
Maximum—Specify maximum limit.
–Apply AH idle timeout—Applies AH idle timeout....

Page 323

 
  IPv6 Inspection
Step 2 Click Add. The Add IPv6 Inspection Map dialog box appears.
Step 3 Enter a name and description for the inspection map.
By default, the Enforcement tab is selected and the following options are selected:
Permit only known extension headers
Enforce extension header order
When Permit only known extension headers is selected, the ASA verifies the IPv6...

Page 324

 
  NetBIOS Inspection
You can configure IPv6 inspection as part of a new service policy rule, or you can edit an existing service policy.
Step 2 On the Rule Actions dialog box, click the Protocol Inspections tab.
Step 3 Check the IPv6 check box.
Step 4 (Optional) To add an IPv6 inspection policy map that you configured in the “(Optional) Configuring an IPv6 Inspection Policy Map”...

Page 325

 
  PPTP Inspection
Add—Opens the Add Policy Map dialog box for the inspection.
NetBIOS Inspect Map
The NetBIOS Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > NetBIOS
The NetBIOS pane lets you view previously configured NetBIOS application inspection maps. A 
NetBIOS map lets you change the default configuration values used for...

Page 326

 
  SMTP and Extended SMTP Inspection
PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP 
control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC 
1701, RFC 1702].
Specifically, the ASA inspects the PPTP version announcements and the outgoing call request/response 
sequence. Only PPTP Version...

Page 327

 
  SMTP and Extended SMTP Inspection
Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions, are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as “500 Command unknown: XXX.” Incomplete commands are discarded.
The ESMTP inspection engine changes the...

Page 328

 
  SMTP and Extended SMTP Inspection
ESMTP Inspect Map
The ESMTP Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP
The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP 
map lets you change the default configuration values used for ESMTP application inspection. 
Since ESMTP traffic can...

Page 329

 
  SMTP and Extended SMTP Inspection
–Default Level—Sets the security level back to the default level of Low.
MIME File Type Filtering
The MIME File Type Filtering dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > MIME File Type Filtering
The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type...

Page 330

 
  SMTP and Extended SMTP Inspection
Drop Connections if command line length is greater than 512
Drop Connections if command recipient count is greater than 100
Drop Connections if body line length is greater than 1000
Drop Connections if sender address length is greater than 320
Drop Connections if MIME file name length is greater than 255
–High
Obfuscate Server Banner
Drop...